All Posts

Qualys WAS 4.1 New Features

There has been a lot of news about data breaches and organizations that have failed to enhance their security and subsequently fallen victim to hackers who have successfully exfiltrated large amounts of sensitive data. The 2014 Verizon Data Breach Investigation report shows that while web application attacks were involved in only 6% of incidents, they were associated with 35% of successful breaches. In fact, web application attacks represented the single largest vector involved in the breaches reviewed in the report! It is clear that organizations need automated and scalable tools that improve how they discover, catalog and test web applications to ensure that security vulnerabilities are quickly identified and remediated. The report also indicates that while the majority of compromise and exfiltration activities happen within hours, most organizations only discover and contain web application attacks in days or weeks.

Qualys Web Application Scanning (WAS) 4.1 addresses this gap with tightly integrated virtual patching protection with the Qualys Web Application Firewall (WAF) solution to ensure that applications can be hardened against attack and compromise in a matter of minutes.

Feature highlights include:

  • Integrated virtual patching with Qualys WAF service.
  • Proxy support for internal appliances to ensure Qualys WAS can reach all the web applications in an organization’s environment, and provide customers with full logging capabilities at scale.

Qualys WAS 4.0 New Features

It is no surprise that web application attacks are the highest frequency breach incident classification based on the findings in the 2014 Verizon Data Breach Investigation Report (DBIR). This information just confirms what most organizations are already seeing: there has been a dramatic increase in the number and scope of web application attacks against web properties that are the critical revenue generating assets of the business. To combat the increase in the intensity of attacks, organizations need to improve their ability to identify web application vulnerabilities before they can be exploited. Organizations need a way to easily and cost-effectively discover and scan all the web applications in their environments so they can find and fix security vulnerabilities before they cause legal and financial impact. Organizations need automated and scalable tools that improve the coverage and flexibility of web application vulnerability scanning, while adding more powerful reporting features to ensure that the right stakeholders receive the targeted metrics they need to ensure the vulnerability scanning program is efficient and effective. Qualys WAS 4.0 provides organizations with the increased scan coverage and enhanced reporting capabilities they need to keep their web applications hardened against attack and protected against business disruptions.

Feature highlights include:

  • Progressive scanning to enhance vulnerability testing coverage and provide automated test continuation from scan to scan, enhancing scan results and enabling more flexibility in scheduling scans that will ease the burden on understaffed IT Security teams.
  • New Reporting Templates that enable organizations to deliver targeted application security metrics to each stakeholder in the program, whether it is an executive who needs a high-level overview of the program or a developer who needs vulnerability details for the one web app he is responsible for.
  • Additional enhancements to exclude tagged applications and randomize MultiScan, giving organizations better options to manage the impact of scalable scanning on their environments.

Check for Shellshock using Qualys FreeScan

The news is out and everyone is talking about it… Shellshock is a major vulnerability that has wide ramifications for most enterprises. Understanding the risk to its customers, Qualys quickly developed authenticated tests for its Vulnerability Management (VM) solution that can definitively identify the vulnerability. This was followed by the development of a remote check that detects the presence of the Apache CGI attack vector in common locations on web servers. Qualys Continuous Monitoring (CM) customers were immediately able to create alerts based on these detections. Qualys then moved on to develop a more comprehensive remote check via the Web Application Scanning (WAS) solution. Qualys also confirmed that the new Web Application Firewall (WAF) solution is able to protect websites that may be vulnerable. So as of today, Qualys customers have a number of ways to not only detect this high risk vulnerability, but also to get automated alerts and protect their organization’s websites.

Qualys WAS 3.6 New Features

Recent news articles make it clear that the pace and scale of malicious attacks on enterprises is increasing. The challenge for organizations is how to match the increase in attacks with their ability to detect the vulnerabilities targeted by the attackers. Further complicating the ability of enterprises to defend against these attacks is that as networks have become more hardened, attackers have increasingly turned to application-level exploits that bypass network security controls like firewalls. To combat the increased risks represented by these new realities, organizations need a way to cost-effectively scan and discover all the web application vulnerabilities in their environments. However, running a highly scalable scanning program can be a complex undertaking without tools that are easy to set up, configure and manage over time. Qualys WAS 3.6 provides organizations with the ease of use, centralized management and integration capabilities they need to keep the attackers at bay and their web applications secure.

Feature highlights include: Support for rerunning any report with the same configuration, adding web application assets that exist for other services (like WAF), scan auto reschedule, export of links crawled, new findings and option profile APIs, and additional usability enhancements. Together, these new features enable organizations to support high volume and fully automated web application scanning across their complete web application portfolio.

Qualys WAS 3.5 New Features

Sophisticated web application security programs often require close coordination with application development, quality assurance and production support teams. For many organizations, production support teams create specialized processes to manage test data associated with web application vulnerability scanning. These organizations need tools to ensure that vulnerability scanning injects data with specific signatures or content so that they can identify and delete the data after testing is complete. They typically need multiple different signature sets to support concurrent testing by their different business units. In addition, these organizations need a way to track the execution time of vulnerability scans against previous scans, both because this provides more accurate estimates of scan duration and because it helps quickly identify slower-than-expected application response times. Qualys WAS 3.5 provides organizations with these capabilities to enable a best practices web application scanning program on all their web properties.

Feature highlights include: Support for creating and managing multiple sets of custom form parameters, and enhanced scan progress status information that includes a time estimate based on previous scan times. Together, these new features enable organizations to support high volume and fully automated web application scanning across their complete web application portfolio.

Qualys WAS 3.4 New Features

Attackers are increasingly exploiting web application vulnerabilities to breach security defenses. As the importance and number of web applications has increased, the challenge of identifying security vulnerabilities and fixing them has become one of scale. Many organizations have hundreds or even thousands of web properties that need to be triaged for security weaknesses, but until now the solutions available have not supported the scale required to automatically and accurately scan all the web properties that today’s enterprises rely on. Organizations need a highly scalable and easy-to-use vulnerability scanning solution to enable their growing web application security programs. Qualys WAS 3.4 provides organizations with the capabilities they need to meet these new demands and execute a best practices web application scanning program on all their web properties.

Feature highlights include: Support for scanning thousands of web applications with MultiScan, consolidated tag management within Asset View (formerly Asset Management), and additional usability enhancements. Together, these new features enable organizations to support high volume and fully automated web application scanning across their complete web application portfolio.

QualysGuard WAS 3.3 New Features

QualysGuard WAS 3.3 provides enhanced management of web application information and data filtering options along with usability enhancements.

Feature highlights include: Bulk editing of web applications, filtering sensitive content detections, enhanced report storage management, and additional scan cancellation options. Together, these new features save organizations time and enable them to run a more effective and efficient web application security program.

QualysGuard WAS 3.2 New Features

QualysGuard WAS 3.2 provides improved control over how and when scans are performed and boosts the efficiency of developers in diagnosing issues with their web applications.

Feature highlights include: A granular scan progress display, specific scan cancel time, binary file exclusions and many usability enhancements.

The Best of OWASP – Global AppSec Conference and the 2013 WASPY Awards

The recent Global OWASP AppSec conference the week of November 18 – 22 at the Marriott Marquis in New York City was a great way to learn more about the latest trends in application security and exchange ideas with other application security professionals. The conference included updates on many of the OWASP projects as well as some interesting presentations such as:

  • OWASP Zed Attack Proxy – Simon Bennetts
  • A new way to learn web application security – Armando Romeo
  • The Perilous Future of Browser Security – RSnake

QualysGuard WAS 3.1 New Features

QualysGuard WAS 3.1 will be released in production in mid-November and includes a number of new features and enhancements to existing capabilities.

Highlights include: A new web application tree to navigate the layout of a scanned site, authentication records that can be reused for multiple web applications, and CVSS scores in web application and scan reports.
